Merge #45: Add price oracle fragments

5e533b7 Add price_oracle1 and price_oracle1_w (sanket1729)
b720130 Refactor arith.rs file to support ExtParam in it (sanket1729)
805c66c Add extension spec for oracle checksig (sanket1729)
2844f5e Add some test vector from curl (sanket1729)

Pull request description:

  Unfortunately, I had to use two versions for fragments with type checking rules. `price_oracle1` and `price_oracle1_w`

ACKs for top commit:
  apoelstra:
    ACK 5e533b7

Tree-SHA512: ffef6f7f0635f2022960d5663fa1478c028cce386e2327b28dd7698bceb8c394733cb80a965c880ecdaf6a0ebea81e20f026ba05de825e780468d3e07f413e3b

Author: sanket1729

bitcoind-tests/tests/setup/test_util.rs

@@ -51,6 +51,10 @@ pub struct PubData {
     pub values: HashMap<String, confidential::Value>,
     pub assets: HashMap<String, confidential::Asset>,
     pub spks: HashMap<String, elements::Script>,
+
+    // price oracle test data
+    pub timestamp: u64,
+    pub price: i64,
 }
 
 #[derive(Debug, Clone)]
@@ -134,6 +138,8 @@ impl TestData {
             values: HashMap::new(),
             assets: HashMap::new(),
             spks: HashMap::new(),
+            timestamp: 414315315u64, // Some dummy time
+            price: 50_000i64, // Some dummy price
         };
         let secretdata = SecretData {
             sks,

bitcoind-tests/tests/test_csfs.rs

@@ -3,7 +3,8 @@
 //! CheckSigFromStack integration tests
 //!
 
-use miniscript::{elements, bitcoin};
+use miniscript::extensions::{sighash_msg_price_oracle_1, check_sig_price_oracle_1};
+use miniscript::{elements, bitcoin, TxEnv};
 use elements::pset::PartiallySignedTransaction as Psbt;
 use elements::sighash::SigHashCache;
 use elements::taproot::{LeafVersion, TapLeafHash};
@@ -178,16 +179,48 @@ pub fn test_desc_satisfy(cl: &ElementsD, testdata: &TestData, desc: &str) -> Vec
             let sig = secp.sign_schnorr_with_aux_rand(&msg, keypair, &aux_rand);
             Some(sig)
         }
+
+        fn lookup_price_oracle_sig(
+                &self,
+                pk: &bitcoin::XOnlyPublicKey,
+                time: u64,
+            ) -> Option<(secp256k1::schnorr::Signature, i64, u64)> {
+            let xpk = pk.to_x_only_pubkey();
+            let known_xpks = &self.0.pubdata.x_only_pks;
+            let i = known_xpks.iter().position(|&x| x == xpk).unwrap();
+
+            // select a time ahead of the current test time
+            let time_signed = time + 1;
+            let price = self.0.pubdata.price as u64;
+            let sighash_msg = sighash_msg_price_oracle_1(time_signed, price);
+            let keypair = &self.0.secretdata.x_only_keypairs[i];
+            let mut aux_rand = [0u8; 32];
+            rand::thread_rng().fill_bytes(&mut aux_rand);
+
+            let secp = secp256k1::Secp256k1::new();
+            let sig = secp.sign_schnorr_with_aux_rand(&sighash_msg, keypair, &aux_rand);
+            assert!(check_sig_price_oracle_1(&secp, &sig, &xpk, time_signed, price));
+            Some((sig, self.0.pubdata.price, time_signed))
+        }
     }
 
     let psbt_sat = PsbtInputSatisfier::new(&psbt, 0);
     let csfs_sat = CsfsSatisfier(&testdata);
 
     let mut tx = psbt.extract_tx().unwrap();
+    let txouts = vec![psbt.inputs()[0].witness_utxo.clone().unwrap()];
+    let extracted_tx = tx.clone(); // Possible to optimize this, but we don't care for this
+    // Env requires reference of tx, while satisfaction requires mutable access to inputs.
+    let cov_sat = TxEnv::new(&extracted_tx, &txouts, 0).unwrap();
     derived_desc
-        .satisfy(&mut tx.input[0], (psbt_sat, csfs_sat))
+        .satisfy(&mut tx.input[0], (psbt_sat, csfs_sat, cov_sat))
         .expect("Satisfaction error");
 
+    for wit in tx.input[0].witness.script_witness.iter() {
+        println!("Witness: {} {:x?}", wit.len(), wit);
+    }
+
+
     // Send the transactions to bitcoin node for mining.
     // Regtest mode has standardness checks
     // Check whether the node accepts the transactions
@@ -222,6 +255,19 @@ fn test_descs(cl: &ElementsD, testdata: &TestData) {
     // test combining with other miniscript fragments
     let wit = test_desc_satisfy(cl, testdata, "tr(X!,and_b(pk(X2),a:csfs(X1,msg4)))");
     assert!(wit.len() == 4);
+
+    // test price oracle 1
+    let price = testdata.pubdata.price;
+    let wit = test_desc_satisfy(cl, testdata, &format!("tr(X!,and_v(v:pk(X2),num64_eq(price_oracle1(X1,123213),{})))", price));
+    assert_eq!(wit.len(), 4 + 2); // 4 witness elements + 1 for price oracle + 1 for time
+
+    // More complex tests
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X1),num64_eq(price_oracle1(X2,1),price_oracle1_w(X3,2))))");
+    test_desc_satisfy(cl, testdata, &format!("tr(X!,and_v(v:pk(X1),num64_eq({},price_oracle1_w(X3,2))))", price));
+    // Different keys and different times
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X2),num64_eq(price_oracle1(X3,1),price_oracle1_w(X4,23))))");
+    // Combination with other arith fragments
+    test_desc_satisfy(cl, testdata, "tr(X!,and_v(v:pk(X2),num64_eq(div(add(price_oracle1(X3,1),price_oracle1_w(X4,2)),2),price_oracle1_w(X5,2))))");
 }
 
 #[test]

doc/extension_spec.md

@@ -47,11 +47,26 @@ mod(x,y)                | `[X] [Y] DIV64 <1> EQUALVERIFY DROP`
 bitand(x,y)             | `[X] [Y] AND`
 bitor(x,y)              | `[X] [Y] OR (cannot fail)`
 bitxor(x,y)             | `[X] [Y] XOR (cannot fail)`
-
+price_oracle1(K,T)      | `2DUP TOALTSTACK <T> OP_GREATERTHANEQ VERIFY CAT SHA256 <K> CHECKSIGFROMSTACKVERIFY OP_FROMATLSTACK`
+price_oracle1_w(K,T)    | `TOALTSTACK 2DUP TOALTSTACK <T> OP_GREATERTHANEQ VERIFY CAT SHA256 <K> CHECKSIGFROMSTACKVERIFY OP_FROMATLSTACK FROMALTSTACK SWAP`
 
 - The division operation pushes the quotient(a//b) such that the remainder a%b (must be non-negative and less than |b|).
 - neg(a) returns -a, whereas bitinv(a) returns ~a.
-
+- `price_oracle1(K,T)` pushes a 64 bit LE integer(price) of signed with key K. It checks whether the price is signed
+with at a timestamp greater than T. Roughly spea
+    - K can be any `KEY` expression in descriptor format, but it not allowed to be uncompressed key.
+    - T is a 64 byte LE UXIX timestamp.
+    - `1` is the version of the oracle. There can be multiple versions of the
+oracle with different fragments. `price_oracle1` creates a schnorr signature with given key `K` on a message that is
+computed as: `sha256(T1||K)`
+    - The fragment consumes three inputs from stack top: [`signature`, `timestamp`, `price`] where `price` is the
+    stack top.
+    - `price_oracle1_w` must be used when the price_oracle is not the first leaf fragment. When price_oracle is the first
+    argument in fragment, use `price_oracle1`. For example,
+        - `num64_eq(price_oracle1_(K,T),10))` is valid, but `num64_eq(10,price_oracle1_(K,T))` is not.
+        - `num64_eq(price_oracle1_w(K,T),10))` is not valid, but `num64_eq(10,price_oracle1_w(K,T))` is also valid.
+        - `num64_eq(add(10,price_oracle1(K,T)),price_oracle1_w(K,T))` is not valid because `10` is the first leaf terminal.
+        - `num64_eq(add(price_oracle1(K,T),10),price_oracle1_w(K,T))` is valid because `price_oracle1` is the first leaf terminal.
 ## Comparison extensions
 
 As mentioned earlier, `NumExpr` directly does not fit in the miniscript model as it pushes a 8 byte computation result.